Target IP: 10.10.243.240
There are three TCP ports open on the target machine: FTP, SSH, and HTTP. It looks like the FTP application does not allow anonymous login; therefore, I will start enumeration with the HTTP application on port 80.
Port 80: HTTP
Performing a curl request against the target machine returns a message telling me to add team.thm to the /etc/hosts file. I appended the host to the hosts file.
Browsing to http://team.thm displays the webpage above.
Running gobuster dir -u http://team.thm -w /usr/share/wordlists/dirb/big.txt -x php,html,txt displays the interesting result above. The robots.txt page contains one possible username: dale.
Browsing to /scripts/script.txt shows the content above. This script mentions there is another script that contains the credentials. I tried changing the extension of the script to other names like .sh, .py, etc.
But when I changed the extension name to .old, I got a hit. I now have the credential ftpuser:T3@m$h@r3.
Port 21: FTP
Using the credential from the old script file, I gained access to the FTP application. There is interesting content here.
The workshare directory contains a text file called New_site.txt which contains the message above. There are two possible usernames: dale and gyles.
I tried putting team.thm.dev inside the /etc/hosts file, but that did not work either. Then I performed subdomain fuzzing using the command ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.team.thm" -u http://team.thm -fs 11366 and obtained the result above. There is an interesting subdomain: www.dev.
I appended the hostnames above to the /etc/hosts file.
And now http://www.dev.team.thm/ works and displays the webpage above. It looks like a dev site that is not fully built.
There is an interesting parameter called page. Can I perform LFI?
I can perform LFI using the interesting parameter page. I obtained the /etc/passwd file and there are two usernames: dale and gyles. I tried to obtain the id_rsa file of both users but I had no luck.
After I performed an LFI search with ffuf using the command ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://www.dev.team.thm/script.php?page=../../../../../../../FUZZ -fs 1, I noticed an interesting payload, etc/ssh/sshd_config, which contains the SSH key of dale. Using curl, I obtained the SSH key and saved it on my local machine.
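Detection logic for the traversal pattern used above, as an added example that is not part of the original writeup: it scans constructed access-log lines (the IPs and timestamps are made up) for directory traversal in the page parameter of script.php, decodes repeated percent-encoding, and flags 200 responses that returned sensitive files such as /etc/ssh/sshd_config.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not taken from the target machine);
# the traversal requests mirror the shape of the ones made against script.php?page=.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /script.php?page=teamshare.php HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /script.php?page=../../../../../../../etc/passwd HTTP/1.1" 200 1892
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /script.php?page=..%2f..%2f..%2fetc%2fssh%2fsshd_config HTTP/1.1" 200 4411
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /script.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1892
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Files whose disclosure through an include parameter indicates a successful read.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/ssh/sshd_config", "id_rsa", "/proc/self/environ")

def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e%252f) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def classify(line: str, param: str = "page"):
    """Return (client_ip, decoded_value, reason) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    for raw in query.get(param, []):
        value = normalize(raw)
        if "../" in value or value.startswith("/"):
            reason = "traversal"
            # A 200 on a known sensitive path means the file very likely came back.
            if m.group("status") == "200" and any(s in value for s in SENSITIVE):
                reason = "traversal+sensitive-file-200"
            return (m.group("ip"), value, reason)
    return None

def scan(log_text: str):
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in (classify(line) for line in log_text.splitlines()) if hit]
```

Running scan(SAMPLE_LOG) yields three hits, all from the same client, which is the kind of burst a web-application firewall rule or log alert should fire on.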
And now I have a foothold on the machine using the SSH key.
I transferred pspy64 to the target machine and received the output above. There are three main scripts:
/usr/local/bin/main_backup.sh
/opt/admin_stuff/script.sh
/usr/local/sbin/dev_backup.sh
The binary /home/gyles/admin_checks can be executed by gyles with sudo. By exploiting the input, I opened a shell as gyles.
gyles is a member of the admin group, meaning I can modify the script /usr/local/bin/main_backup.sh.
And now I have a root shell. I injected the reverse shell script inside main_backup.sh and obtained a root shell on port 21 on my local machine.
The user.txt flag, obtained once I gained a foothold on the machine as dale using SSH.
The root.txt flag.